Malware that paralyzed South Korea in March is linked to military intelligence gathering

(Cc) Emmanuel Dyan / Flickr

Those responsible for the malware attack that wiped the hard drives of thousands of computers in South Korea in March belong to the same group that has been trying to obtain military secrets from that country and the United States, according to an investigation by McAfee.

The study’s conclusion is surprising, because most espionage groups try to stay hidden and build their threats to capture as much data as possible without being detected. The “Dark Seoul” attack was, by contrast, extremely conspicuous because of its coordinated detonation: the malware went off inside government agencies, banks and media outlets at exactly 2 pm on March 20, disrupting payment systems, ATMs and more. Until now, researchers had assumed that an unknown group was simply trying to cause chaos.

In fact, Dark Seoul was part of “Operation Troy,” a long-running campaign against military organizations whose beginnings date back to 2009. The covert operation planted malware on compromised machines that methodically searched for military terms and extracted only the documents it deemed important. The malware reached those machines through a “zero-day” flaw in a military social network. The delivery technique is known as a “watering hole attack” because the malware is placed on sites the intended victims are expected to visit, just as predators ambush prey when it comes to drink.

“Attackers have tried since 2009 to install the capability to destroy their targets using an MBR-wiping component, as seen in the Dark Seoul incident. From our analysis we have established that Operation Troy had an early focus on gathering intelligence on military targets in South Korea. We have also linked high-profile public campaigns conducted in recent years against Korea to Operation Troy, suggesting that a single group is responsible,” McAfee said in its study.

One of the pillars of Dark Seoul is the destruction of the master boot record (MBR) of the infected machines. The same capability was also present in the remote-access Trojan used in Operation Troy, where it served to wipe data from compromised machines on which the malware had been detected and was being disinfected. By destroying the machines, the attackers had more options for hiding their tracks. The malware in the two attacks was not identical, but McAfee says there are enough similarities to conclude that it came from the same group.
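As an added illustration, not part of the original article or of McAfee’s report, the following Python script shows what a defender can check to spot the kind of MBR destruction described above. It parses the 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries and the 0x55AA signature), compares the sector against a known-good SHA-256 baseline recorded while the machine was healthy, and distinguishes a wholesale repeated-pattern wipe from other tampering. The sample sectors and the “WIPE” filler string are constructed for this example and do not represent the real malware’s payload.

```python
# Added example (not from the article or McAfee's report): a small MBR
# integrity checker a defender could run over the first sector of a disk
# image. It parses the 512-byte layout (446 bytes of boot code, four
# 16-byte partition entries, the 0x55AA signature), compares the sector
# against a known-good SHA-256 baseline, and tells a wholesale wipe apart
# from other tampering. All sample sectors below are constructed.
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_SIZE = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_table(mbr: bytes) -> List[Dict[str, int]]:
    """Decode the four primary partition entries (status, type, LBA start, size)."""
    entries = []
    for i in range(4):
        off = BOOT_CODE_SIZE + i * PARTITION_ENTRY_SIZE
        # layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack(
            "<B3xB3xII", mbr[off:off + PARTITION_ENTRY_SIZE])
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def repeated_pattern_period(sector: bytes) -> int:
    """Return the shortest period (1..16 bytes) if the whole sector is one
    repeated pattern, which is what a destructive overwrite usually leaves;
    return 0 if the content is not periodic."""
    for period in (1, 2, 4, 8, 16):
        if sector[:period] * (len(sector) // period) == sector:
            return period
    return 0


def mbr_health(mbr: bytes, baseline_sha256: str) -> Dict[str, object]:
    """Classify a sector as 'intact', 'wiped' or 'tampered' against a baseline hash."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    digest = hashlib.sha256(mbr).hexdigest()
    signature_ok = mbr[510:512] == BOOT_SIGNATURE
    table = parse_partition_table(mbr)
    bootable = [e for e in table if e["status"] == 0x80 and e["type"] != 0]
    period = repeated_pattern_period(mbr)

    findings = []
    if not signature_ok:
        findings.append("boot signature 0x55AA missing")
    if not bootable:
        findings.append("no bootable partition entry")
    if period:
        findings.append(f"sector is a repeated {period}-byte pattern")

    if digest == baseline_sha256:
        verdict = "intact"
    elif not signature_ok and period:
        verdict = "wiped"        # signature gone and filler pattern: destructive overwrite
    else:
        verdict = "tampered"     # differs from baseline but is not a plain wipe
    return {"verdict": verdict, "sha256": digest, "bootable": len(bootable),
            "findings": findings}


# --- constructed samples -------------------------------------------------
# A plausible healthy MBR: a few bytes of boot code, one bootable NTFS-type
# (0x07) partition starting at LBA 2048, three empty entries, valid signature.
_BOOT_CODE = b"\xfa\x33\xc0" + b"\x90" * (BOOT_CODE_SIZE - 3)
_PART1 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
GOOD_MBR = _BOOT_CODE + _PART1 + b"\x00" * (3 * PARTITION_ENTRY_SIZE) + BOOT_SIGNATURE
BASELINE = hashlib.sha256(GOOD_MBR).hexdigest()   # recorded while the machine was healthy

WIPED_ZERO_MBR = b"\x00" * MBR_SIZE                  # zero-filled sector
WIPED_PATTERN_MBR = b"WIPE" * (MBR_SIZE // 4)        # placeholder filler string, constructed
TAMPERED_MBR = b"\x00" * 64 + GOOD_MBR[64:]          # boot code altered, table and signature kept


def read_mbr(path: str) -> bytes:
    """Read the first sector of a raw disk image (or block device) for checking."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


if __name__ == "__main__":
    for name, sector in [("good", GOOD_MBR), ("zeroed", WIPED_ZERO_MBR),
                         ("pattern", WIPED_PATTERN_MBR), ("tampered", TAMPERED_MBR)]:
        result = mbr_health(sector, BASELINE)
        print(f"{name:8s} -> {result['verdict']:8s} {result['findings']}")
```

In practice the baseline hash would be recorded by endpoint tooling while the machine is known to be clean, and `read_mbr` would be pointed at the raw device or a forensic image; the hash comparison catches any change, while the signature and periodicity checks give an analyst a quick read on whether a change was a targeted modification or a wholesale wipe.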

It is not known, however, why Dark Seoul was detonated. According to McAfee, the attack was intentional and not an accident, yet trying to hide one’s presence by destroying thousands of machines simultaneously does not seem like a good idea.